I'm trying to configure IPv6 packet inspection on a 2911 router (IOS 15.1(2)T5) but I'm unable to inspect router-generated traffic. There isn't an option "ipv6 inspect name xxxx udp router-traffic" as in IPv4. Thus I'm unable to ping from the router to a remote host.
I could solve the ping problem by simply adding a "permit icmp any any echo-reply" on my ACL, but I'm still unable to access TCP or UDP-based services (DNS, HTTP...).
Does anyone know if it is possible to enable IPv6 router-generated traffic, or is there any other solution for this problem? If so, how can I do that?
! IPv6 CBAC inspection rule: stateful inspection of outbound TCP, UDP, ICMP and FTP
ipv6 inspect name SPI_DIALER1_OUT tcp
ipv6 inspect name SPI_DIALER1_OUT udp
ipv6 inspect name SPI_DIALER1_OUT icmp
ipv6 inspect name SPI_DIALER1_OUT ftp
!
! interface-level commands (the interface stanza itself is not shown in the post):
! inspect outbound traffic, filter inbound traffic with the ACL below
ipv6 inspect SPI_DIALER1_OUT out
ipv6 traffic-filter acl6_dialer1_in in
!
! inbound ACL: allow only Neighbor Discovery, Router Advertisements and echo replies;
! everything else is dropped and logged (return traffic for inspected sessions
! is allowed by the inspection state, not by this ACL)
ipv6 access-list acl6_dialer1_in
 sequence 10 permit icmp any any nd-ns
 sequence 20 permit icmp any any nd-na
 sequence 30 permit icmp any any router-advertisement
 sequence 40 permit icmp any any echo-reply
 deny ipv6 any any log
The old Cisco IOS "inspect" system has effectively been deprecated. You should be using zone-based firewalling now.
Here is the guide for IPv6 zone-based firewall support.
If you want to get up to speed more quickly for IPv4 zone-based firewall, try using my Config Wizard and copying the bits you need.
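As an added illustration of the answer above (this is not the answerer's Config Wizard output or the asker's configuration), here is what the posted CBAC setup looks like as an IPv6 zone-based firewall. The security-relevant difference is the self zone: traffic to and from the router itself is allowed by default unless a zone-pair involving self exists, so router-generated pings, DNS and HTTP work without a "router-traffic" keyword. Only if you want to restrict traffic to the router do you add the OUTSIDE-to-self pair, and then you must explicitly pass Neighbor Discovery and Router Advertisements, exactly as the original ACL did. Interface names (GigabitEthernet0/0, Dialer1), zone and policy names, and the `match access-group name` class matching an IPv6 ACL are assumptions for the example; `ftp` is left out because IPv6 FTP ALG support should be verified for the exact 15.1(2)T release before relying on it.

```cisco
! --- zones (example names) ---
zone security INSIDE
zone security OUTSIDE
!
! --- what gets inspected LAN -> Internet and router -> Internet ---
class-map type inspect match-any CM_V6_INSPECT
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect PM_V6_OUTBOUND
 class type inspect CM_V6_INSPECT
  inspect
 class class-default
  drop log
!
! --- control-plane protocols that must reach the router unsolicited ---
ipv6 access-list ACL6_TO_SELF
 sequence 10 permit icmp any any nd-ns
 sequence 20 permit icmp any any nd-na
 sequence 30 permit icmp any any router-advertisement
!
class-map type inspect match-all CM_V6_TO_SELF
 match access-group name ACL6_TO_SELF
!
policy-map type inspect PM_V6_TO_SELF
 class type inspect CM_V6_TO_SELF
  pass
 class class-default
  drop log
!
! --- zone pairs ---
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM_V6_OUTBOUND
!
! router-originated sessions: inspected so replies are admitted by state,
! which is what "router-traffic" achieved in the IPv4 CBAC syntax
zone-pair security SELF-OUTSIDE source self destination OUTSIDE
 service-policy type inspect PM_V6_OUTBOUND
!
! unsolicited traffic to the router: ND/RA only, everything else dropped
! (omit this zone-pair entirely and the self zone is default-allow)
zone-pair security OUTSIDE-SELF source OUTSIDE destination self
 service-policy type inspect PM_V6_TO_SELF
!
interface GigabitEthernet0/0
 zone-member security INSIDE
!
interface Dialer1
 zone-member security OUTSIDE
```

Two things to check before going live: `show policy-map type inspect zone-pair sessions` should list the router's own DNS or HTTP sessions under SELF-OUTSIDE once you test from the CLI, and anything else the router must accept unsolicited (routing protocol hellos, DHCPv6, a management protocol from the WAN) has to be added to ACL6_TO_SELF, since the `drop log` default will otherwise cut it off.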